DocumentCode :
2176038
Title :
Provenance-Aware Tracing of Worm Break-in and Contaminations: A Process Coloring Approach
Author :
Jiang, Xuxian ; Walters, Aaron ; Xu, Dongyan ; Spafford, Eugene H. ; Buchholz, Florian ; Wang, Yi-Min
Author_Institution :
Purdue University, W. Lafayette, IN
fYear :
2006
fDate :
2006
Firstpage :
38
Lastpage :
38
Abstract :
To investigate the exploitation and contamination by self-propagating Internet worms, a provenance-aware tracing mechanism is highly desirable. Provenance unawareness causes difficulties in fast, accurate identification of a worm's break-in point, and incurs significant log inspection overhead. This paper presents the design, implementation, and evaluation of process coloring, an efficient provenance-aware approach to worm break-in and contamination tracing. More specifically, process coloring assigns a "color", a unique system-wide identifier, to each remotely-accessible server or process. The color will then be either inherited by spawned child processes or diffused indirectly through process actions (e.g., read/write operations). Process coloring brings two major advantages: (1) It enables fast color-based identification of a worm's break-in point even before detailed log analysis; (2) It naturally partitions log data based on their colors, effectively reducing the volume of log data that need to be examined for worm investigation. A tamper-resistant log collection method is developed based on the virtual machine introspection technique. Our experiments with a number of real-world worms demonstrate the advantages of process coloring.
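The abstract describes the two propagation rules of process coloring (inheritance across fork/exec, diffusion through read/write on shared objects) and the two payoffs (break-in identification from a process's color, log partitioning by color). The following is an added illustration written for this record, not the authors' implementation: it replays a constructed syscall trace through a toy color tracker. The event tuple format, the process ids, the file paths, the "init_server" pseudo-event that stands in for a server being assigned its color, and the trace itself are all assumptions made for the example; the paper's tamper-resistant log collection via virtual machine introspection is not modelled here.

```python
"""Toy process-coloring tracer (added example; not the paper's code).

Each remotely accessible server gets a unique color. Children inherit their
parent's colors; a write stamps the written object with the writer's colors;
a read transfers the object's colors to the reader (diffusion/contamination).
Every logged event is filed under the colors of the acting process, which is
what lets an investigator look at one server's slice of the log.
"""
from collections import defaultdict

# Constructed sample trace, (event_id, op, pid, arg). Not taken from the paper.
# Story: a worm breaks in through the httpd worker (pid 101), drops a file,
# and an unrelated sshd session (pid 201) later reads that file.
TRACE = [
    (1, "init_server", 100, "httpd"),
    (2, "init_server", 200, "sshd"),
    (3, "fork", 200, 201),                    # benign sshd session
    (4, "write", 201, "/home/alice/notes"),
    (5, "read", 201, "/home/alice/.profile"), # uncolored object: no diffusion
    (6, "fork", 100, 101),                    # httpd worker spawned
    (7, "write", 101, "/tmp/.w0rm"),          # worm drops its payload
    (8, "exec", 101, "/tmp/.w0rm"),           # worm runs; colors unchanged
    (9, "read", 201, "/tmp/.w0rm"),           # sshd session is contaminated
    (10, "write", 201, "/etc/cron.d/job"),    # object now carries both colors
]


class ProcessColoring:
    def __init__(self):
        self.proc_colors = defaultdict(set)   # pid  -> set of colors
        self.obj_colors = defaultdict(set)    # path -> set of colors
        self.server_of = {}                   # color -> server name
        self.partition = defaultdict(list)    # color -> events in that slice

    def assign(self, pid, name):
        """Give a remotely accessible server its own system-wide color."""
        color = f"c{len(self.server_of)}"     # hypothetical naming scheme
        self.server_of[color] = name
        self.proc_colors[pid] = {color}
        return color

    def process(self, event):
        eid, op, pid, arg = event
        if op == "init_server":
            self.assign(pid, arg)
        elif op == "fork":
            # Inheritance: the child starts with all of the parent's colors.
            self.proc_colors[arg] |= self.proc_colors[pid]
        elif op == "write":
            # Diffusion outward: the object is stamped with the writer's colors.
            self.obj_colors[arg] |= self.proc_colors[pid]
        elif op == "read":
            # Diffusion inward: the reader picks up whatever colors the object has.
            self.proc_colors[pid] |= self.obj_colors[arg]
        # "exec" keeps the process's colors; it is only logged.
        for color in self.proc_colors[pid]:
            self.partition[color].append(event)

    def break_in_servers(self, pid):
        """Servers whose color a process carries: the candidate break-in points."""
        return sorted(self.server_of[c] for c in self.proc_colors[pid])

    def contaminated(self, color):
        """Processes and objects that carry a given color."""
        pids = sorted(p for p, cs in self.proc_colors.items() if color in cs)
        paths = sorted(o for o, cs in self.obj_colors.items() if color in cs)
        return pids, paths


def run(trace):
    pc = ProcessColoring()
    for event in trace:
        pc.process(event)
    return pc


if __name__ == "__main__":
    pc = run(TRACE)
    print("suspicious exec by pid 101 traces to:", pc.break_in_servers(101))
    print("pid 201 now carries colors of:", pc.break_in_servers(201))
    print("contaminated by c0:", pc.contaminated("c0"))
    for color, events in pc.partition.items():
        print(f"{pc.server_of[color]} slice: {len(events)} of {len(TRACE)} events")
```

A single color on the worm process (pid 101) names the break-in server directly, before any log is read; pid 201 ends up with two colors, which is exactly the contamination case the abstract describes, so its slice of the log must be read with both origins in mind. The per-color partition also shows the second payoff: each server's slice is smaller than the full log, and the read at event 9 appears in both slices because that is the point where the colors diffused.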
Keywords :
Color; Computer science; Computer worms; Contamination; Face detection; Forensics; Inspection; Internet; Performance analysis; Virtual machining;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Distributed Computing Systems, 2006. ICDCS 2006. 26th IEEE International Conference on
ISSN :
1063-6927
Print_ISBN :
0-7695-2540-7
Type :
conf
DOI :
10.1109/ICDCS.2006.69
Filename :
1648825